Microsoft pays out another bumper bug bounty

Microsoft has paid out a $100,000 bounty to security researcher Yang Yu for mitigation bypass information, bringing the programme total to almost $240,000.

Microsoft has paid out another $100,000 Bounty Hunter prize to a security researcher, this time for the discovery of a mitigation bypass vulnerability in the company's latest operating system software.

Microsoft, as all good software houses should, constantly looks to improve the security and reliability of its products. Recent versions of its Windows operating system have come with varied new security features, some of which - like sandboxing in the bundled internet browser - are designed to mitigate the impact of successful exploitation of as-yet unknown vulnerabilities. To aid it in its mission, the company follows a common industry practice of offering security researchers on both sides of the moral fence cash payouts if they provide advance notification of new vulnerabilities and flaws - and give Microsoft a chance to fix them before the details are made public.

The latest payout in Microsoft's so-called Bounty Hunter programme has been issued to Yang Yu, a security engineer at NSFocus Security Labs. The vulnerability which earned Yu a whopping $100,000 has been detailed by Microsoft as variants on the theme of mitigation bypass - in other words, a means of circumventing protections put in place to prevent widespread exploitation of a security hole. Mitigation bypass vulnerabilities are considered the most critical to the security of Microsoft's software, and usually fetch $25,000 in the Bounty Hunter programme if they are variants of already-known issues - meaning that Yu's $100,000 likely comes as the result of discovering four or more variants.

The payout brings the total value of Microsoft's Bounty Hunter programme to an impressive $238,500 so far. A full list of recipients and the value of their prizes can be found on the official website.